// This is *AFTER* a SSLSocketImpl was created!!!
sslSocket.setNeedClientAuth(true);

InputStream sslIS = sslSocket.getInputStream();
sslIS.read();

The SSLSocketImpl is initialized with no clientauth required, which creates a ServerHandshaker with no auth, which creates a HandshakeHash(false), which only creates 3 clones. Now return to the app's setNeedClientAuth call, which updates the ServerHandshaker to require the client auth, but it doesn't update HandshakeHash to now require 4 digests.

Actually, this bug could be updated to better calculate the exact number of HandshakeHash clones that are needed.